Inside FortiOS: Server Load Balancing

Server Load Balancing combined with
NGFW and UTM protection

By introducing comprehensive server load balancing functionality
to Next Generation Firewall (NGFW) and Unified Threat Management (UTM) solutions FortiOS takes threat protection
to a whole new level.
Rather than going to the expense of deploying multiple
solutions to protect your server farm, you can combine
firewalling, NGFW, UTM and load balancing into
a single FortiGate unit or cluster.
The benefit of consolidation is not only limited to cost.

Key Features & Benefits

Increased resilience

A consolidated solution results in significantly simplified network
architecture. High availability can be provided for all technologies with just
a pair of devices rather than several.

Reduced operational overheads

A unified management solution consisting of a single GUI, logging
and reporting, SNMP monitoring and other management functions
will significantly reduce the resources required to manage the multiple
technology areas. A consolidated solution provides a single point of contact
for support and renewals rather than having to deal with multiple vendors.

The FortiOS server load balancing feature set contains all of the features you would expect of a server load balancing
solution. Traffic can be balanced across multiple backend servers based on multiple load balancing schedules
including static (failover), round robin, weighted to account for different sized servers, or based on the health and
performance of the server including round trip time and number of connections.

The load balancer supports HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL/TLS, and generic TCP/UDP and IP protocols.
Session persistence is supported based on the SSL session ID, based on an injected HTTP cookie, or based on the
HTTP or HTTPS host. SSL/TLS load balancing includes protection from protocol downgrade attacks. Server load balancing is supported on most FortiGate devices and includes up to 10,000 virtual servers on
our high end systems.

SSL/TLS offloading

With more and more critical business applications being made available online and in the cloud, the demand
for secure remote continues to increase. While securing web and email applications with SSL/TLS is essential, this
protection adds significant performance overheads. An SSL/TLS protected application running on a standard server will
perform all the costly encryption/decryption and key exchange routines in software which uses vital CPU resources
that should be available for running the application. The consequence of this is that many more or more powerful
servers are required to deliver the application.

FortiGate SSL/TLS offloading is designed with the explosion of SSL/TLS applications in mind. The key exchange and
encryption/decryption tasks are offloaded to the FortiGate unit where they are accelerated using FortiASIC
technology providing significantly more performance than a standard server or load balancer could handle. This
frees up valuable resources on the server farm which can be used to run a more responsive business. Server load balancing offloads most SSL/TLS versions including SSL 3.0, TLS 1.0 and TLS 1.2 and supports full mode or half mode SSL offloading with DH key sizes up to 4096 bits.

SSL/TLS content inspection

Traditionally, SSL encrypted application data would be invisible to any border gateway filtering solution. This
is because the encryption process prevents the payload of any connection from being seen other than by the
communicating systems. FortiGate SSL Offloading allows the application payload to be inspected before
it reaches your servers; preventing intrusion attempts, blocking viruses, stopping unwanted applications, and
preventing data leakage.

Health Check

Health checking can be enabled to prevent load balancing traffic from being sent to a non-functioning real server.
Real server health can be monitored using ICMP ping or more sophisticated TCP testing. The most comprehensive
test is HTTP which verifies that the HTTP application is responding and that it is returning the correct content.

Health checking removes real servers from the load balancing cluster which are returning invalid content. The
removal of real servers from the clusters is based on the Interval, Timeout and Retry Settings:

Interval

How often to test the server.

Timeout

What maximum response time is permissible before a server is treated as non-functional.

Retry

How many failures before the server is considered “dead” and removed from the cluster.

Server Monitoring and Management

The health and performance of real servers can be monitored from the FortiGate GUI. Virtual servers and their
assigned real servers can be monitored for health status, if there have been any monitor events, number of active
sessions, round trip time and number of bytes processed. Should a server become problematic and require
administration, it can be gracefully removed from the Real Server pool to enable disruption free maintenance. When
a removed real server is able to operate it can gracefully be added back to the virtual server.

HTTP Multiplexing

A performance saving feature of HTTP/1.1 compliant web servers is the ability to pipeline requests on the same
connection. This allows a single HTTPD process on the server to interleave and server multiple requests. HTTP
multiplexing reduces the number idle sessions, too many of which can exhaust the resources on a server. The
Fortinet solution has the ability to take multiple separate inbound sessions and multiplex them over the same
internal session. This reduces the load on the backend server and increases the overall performance.